FortiSpain
Explorer
January 14, 2026
Question

PORTS

  • January 14, 2026
  • 5 replies
  • 2022 views

Good morning,

 

We have a FortiGate 50G installed at home. The device was set up by the company that sold it to us. The FortiGate is used over 2 routers from 2 different providers. We have asked the company to close all the ports, as the use of internet here is domestic. When using nmap to check for possible open ports, the results are:

113/tcp  closed ident

2000/tcp open   cisco-sccp

5060/tcp open   sip

 

I have used the WAN IP of the Forti as target. Maybe I am doing it wrong... Here is the firewall policy:

 

[Three screenshots of the firewall policy, 2026-01-14]

The company told us that the ports are closed, but here at home we are a little bit worried. Please, could you confirm that the policies are correct in order to close all the ports? If so, how is it possible that nmap shows open ports (I have done the process 4 or 5 times)?

 

We are not professionals here, and our only goal is to be completely protected.

 

Thank you very much.

 

5 replies

AEK
SuperUser
January 14, 2026

Hi FortiSpain

Here I see you don't have any policy allowing anything from WAN to LAN. There is only from LAN to LAN, and from VPN tunnel to LAN and WAN.

You can check if those open ports are actually for local-in traffic, I mean traffic addressed to the firewall itself.

You can check it as follows:

  • Check if the WAN interfaces have any published service (HTTPS, SSH, ... etc)
  • Check the ports used for SSL VPN and/or IPsec VPN if they match the ports found by nmap

If nothing is found, then the front-end routers are probably the main suspects.

AEK
FortiSpain
Explorer
January 18, 2026

Hi AEK,

 

Thank you very much for your answer.

Regarding the WAN interfaces:

[Two screenshots of the WAN interface settings, 2026-01-18]

 

In the Local-In Policy, you can see this:

[Three screenshots of the Local-In Policy, 2026-01-18]

 

The last nmap scan (first 10000 ports) shows this: all the ports (TCP) are open. We are worried...

 

Thanks for your help.

 

 

AEK
SuperUser
January 19, 2026

I don't see any port similar to the 3 mentioned in your first post.

Then it is probably from the ISP router.

AEK
FortiSpain
Explorer
January 19, 2026

Thank you very much for your help. How can I close almost all the ports on the routers? Because I know I have never opened any port, as the function options are quite limited when editing the router. Do you think that having open ports means a risk when our domestic net is only connected by Ethernet (no WiFi)?

 

Thanks again.

AEK
SuperUser
January 20, 2026

How to close ports depends on the brand and model of the router.

An open port (listening service) is an additional risk. One of the main security rules is to close all ports that are not required. The same applies to Ethernet and WiFi.

 
AEK
AEK
SuperUser
January 21, 2026

"I use occasionally a phone plugged to the router"

 

That explains why SIP and SCCP are listening.

If you want to protect them with the FortiGate you will need to change your design to bring your VoIP behind the firewall instead of leaving it at front-end router level.

Meanwhile you should keep everything patched (router, phone, FGT) to avoid known vulnerabilities, and you may also work with a pentester to check if there are some exploitable breaches.

AEK
FortiSpain
Explorer
January 21, 2026

Hi AEK and thank you very much for your time.

 

"If you want to protect them with the FortiGate you will need to change your design to bring your VoIP behind the firewall instead of leaving it at front-end router level."

 

That sounds very good. I asked the company that installed the firewall to do it, but they say that they are not able to do it.

 

Could you be so kind as to let me know the steps in order to bring my VoIP behind the firewall? It is really important for us.

 

Thank you.




AEK
SuperUser
January 22, 2026

Hello FortiSpain

Unfortunately I don't have enough knowledge in VoIP. Hope another experienced member can help.

AEK
FortiSpain
Explorer
January 28, 2026

Well, this is the result of the last scan I have run (sudo nmap -Pn -p- -T5 -sV). Same results on both routers:


Not shown: 65533 filtered tcp ports (no-response)

PORT     STATE  SERVICE    VERSION

113/tcp  closed ident

8020/tcp open   http-proxy FortiGuard Web Filtering

 

What do you think?

 

Thank you

 

AEK
SuperUser
January 28, 2026

Now it is much better. Remaining open ports are most probably on the router, and as I said it may be a good idea to change the VoIP design, but here I can't help.

AEK
AEK
SuperUser
January 28, 2026

Also I assume you are scanning from outside.

Besides, I didn't notice port 8020. It mentions FortiGuard, but it is a good idea to try to find what is really listening behind it.

AEK
FortiSpain
Explorer
January 29, 2026

And just for your information, this is what nmap "told" me:

PORT     STATE SERVICE    VERSION

8020/tcp open  http-proxy FortiGuard Web Filtering

| http-open-proxy: Potentially OPEN proxy.

|_Methods supported:CONNECTION

|_http-title: Web Filter Block Override

PORT     STATE SERVICE    VERSION

8020/tcp open  http-proxy FortiGuard Web Filtering

| http-phpmyadmin-dir-traversal:

|   VULNERABLE:

|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion

|     State: UNKNOWN (unable to test)

|     IDs:  CVE:CVE-2005-3299

|       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.

|       

|     Disclosure date: 2005-10-nil

|     Extra information:

|       ../../../../../etc/passwd :

|   <!DOCTYPE html>

|   <html lang="en">

|       <head>

|           <meta charset="UTF-8">

|           <meta http-equiv="X-UA-Compatible" content="IE=8; IE=EDGE">

|           <meta name="viewport" content="width=device-width, initial-scale=1">

|           <title>Web Filter Block Override</title>

|       </head>

|       <body><div class="message-container">

|       <div class="logo"></div>

|       <h1>FortiGuard Intrusion Prevention - Access Blocked</h1>

|       <h3>Web Filter Block Override</h3>

|       <p>Please contact your administrator to gain access to the web page.</p>

|       <div><font color="#FF0000">Invalid FortiGuard Web Filtering override request.</font></div>

|   </div></body>

|   </html>

 

And that's all...  (I have deleted my IP)
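
Added example (not part of the thread, and not Nmap or Fortinet code): a small Python triage of NSE script output like the one quoted in the last post. It reads the `State:` line instead of the `VULNERABLE:` heading and checks whether the returned body has the shape of `/etc/passwd` entries or is just an HTML page; the sample text is constructed by condensing the quoted output, and the verdict labels are this example's own.

```python
import re

# Constructed sample, condensed from the NSE output quoted in the thread.
SAMPLE = """\
8020/tcp open  http-proxy FortiGuard Web Filtering
| http-open-proxy: Potentially OPEN proxy.
|_http-title: Web Filter Block Override
| http-phpmyadmin-dir-traversal:
|   VULNERABLE:
|     State: UNKNOWN (unable to test)
|     Extra information:
|       ../../../../../etc/passwd :
|   <!DOCTYPE html>
|       <h1>FortiGuard Intrusion Prevention - Access Blocked</h1>
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s")
SCRIPT_RE = re.compile(r"^\|[ _]([a-z0-9-]+):")      # "| name:" or "|_name:"
STATE_RE = re.compile(r"State:\s*(.+)")
PASSWD_RE = re.compile(r"^[\w.-]+:[^:]*:\d+:\d+:")   # shape of an /etc/passwd entry

def verdict(lines):
    """Classify one script block by its State line and the returned body."""
    states = [m.group(1) for m in map(STATE_RE.search, lines) if m]
    if any(PASSWD_RE.match(l) for l in lines):
        return "confirmed"            # body really contains passwd-style entries
    if states and states[0].upper().startswith(("VULNERABLE", "LIKELY VULNERABLE")):
        return "reported-vulnerable"  # script claims success: verify by hand
    if states:                        # UNKNOWN, NOT VULNERABLE: nothing was shown
        html = any(l.lower().startswith(("<!doctype", "<html")) for l in lines)
        return "unproven-html-body" if html else "unproven"
    return "informational"            # script output with no State line

def triage(nmap_text):
    """Return {(port, script_name): verdict} for every NSE block in the text."""
    blocks, port, script = {}, None, None
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, script = int(m.group(1)), None
        elif SCRIPT_RE.match(line):
            script = SCRIPT_RE.match(line).group(1)
            blocks[(port, script)] = []
        if script and line.startswith("|"):
            blocks[(port, script)].append(line.lstrip("|_ ").rstrip())
    return {key: verdict(lines) for key, lines in blocks.items()}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
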